The Espionage Act Evidence WaPo Spins as Obstruction Evidence

The WaPo, with Devlin Barrett as lead byline and Mar-a-Lago Trump-whisperer Josh Dawsey next, has a report describing either new evidence or more evidence of obstruction in the stolen documents case.

Some of it, such as that investigators “now suspect that boxes including classified material were moved from Mar-a-Lago storage area after the subpoena was served,” is not new — not to investigators and not to the public. The version of the search affidavit released on September 14 showed that on June 24 investigators subpoenaed the surveillance footage for the storage room and at least one other, still-redacted location, going back to January 10, 2022, long before the subpoena for documents with classification marks was served on May 11. So unless Trump withheld surveillance footage, DOJ has known since early July 2022 on what specific dates boxes were moved. And a redacted part of the affidavit explains the probable cause the FBI had in August that there might be classified documents in Trump’s residential suite.

In other words, much of what WaPo describes is that DOJ has obtained substantial evidence since August to prove the probable cause suspicions already laid out in their August warrant affidavit. You don’t search the former President’s beach resort without awfully good probable cause, and they were able to show substantial reason to believe that Trump had boxes moved to his residence after he received the May 11 subpoena, where he sorted out some he wanted to keep, eight months ago.

They’ve just gotten a whole lot more proof that they were right, since.

Other parts of the story do describe previously unknown (to us, at least) details, and those may be significantly more important for Trump’s fate. The most intriguing, to me, is that witnesses are being asked about Trump’s obsession with Mark Milley.

Investigators have also asked witnesses if Trump showed a particular interest in material relating to Gen. Mark A. Milley, the chairman of the Joint Chiefs of Staff, people familiar with those interviews said. Milley was appointed by Trump but drew scorn and criticism from Trump and his supporters after a series of revelations in books about Milley’s efforts to rein in Trump toward the end of his term. In 2021, Trump repeatedly complained publicly about Milley, calling him an “idiot.”

The people did not say whether investigators specified what material related to Milley they were focused on. The Post could not determine what has led prosecutors to press some witnesses on those specific points or how relevant they may be to the overall picture that Smith’s team is trying to build of Trump’s actions and intent.

Remember that reports on investigations, especially ones that include Mar-a-Lago court reporters, often amount to witnesses attempting to share questions they’ve been asked with other witnesses or lawyers. Trump’s team has no idea what kinds of classified items were seized. This detail suggests that among the classified documents seized are a document or documents pertaining to Milley.

According to Bobs Woodward and Costa in Peril, Milley called China twice in the last months of the Trump administration to reassure his counterpart that the US was not going to attack China without some build-up first.

On Friday, October 30, four days before the election, Chairman Milley examined the latest sensitive intelligence. What he read was alarming: The Chinese believed the United States was going to attack them.

Milley knew it was untrue. But the Chinese were on high alert, and whenever a superpower is on high alert, the risk of war escalates. Asian media reports were filled with rumors and talk of tensions between the two countries over the Freedom of Navigation exercises in the South China Sea, where the U.S. Navy routinely sails ships in areas to challenge maritime claims by the Chinese and promote freedom of the seas.

There were suggestions that Trump might want to manufacture a “Wag the Dog” war before the election so he could rally the voters and beat Biden.

[snip]

This was such a moment. While he often put a hold on or stopped various tactical and routine U.S. military exercises that could look provocative to the other side or be misinterpreted, this was not a time for just a hold. He arranged a call with General Li.

Trump was attacking China on the campaign trail at every turn, blaming them for the coronavirus. “I beat this crazy, horrible China virus,” he told Fox News on October 11. Milley knew the Chinese might not know where the politics ended and possible action began.

To give the call with Li a more routine flavor, Milley first raised mundane issues like the staff-to-staff communications and methods for making sure they could always rapidly reach each other.

Finally, getting to the point, Milley said, “General Li, I want to assure you that the American government is stable and everything is going to be okay. We are not going to attack or conduct any kinetic operations against you.

“General Li, you and I have known each other for now five years. If we’re going to attack, I’m going to call you ahead of time. It’s not going to be a surprise. It’s not going to be a bolt out of the blue.

The two Bobs also described how, in the days after January 6, Milley reviewed nuclear launch procedures with senior officers of the National Mission Command Center to make sure he would be in the loop if Trump ordered the use of nukes.

Without providing a reason, Milley said he wanted to go over the procedures and process for launching nuclear weapons.

Only the president could give the order, he said. But then he made clear that he, the chairman of the JCS, must be directly involved. Under current procedure, there was supposed to be a voice conference call on a secure network that would include the secretary of defense, the JCS chairman and lawyers.

“If you get calls,” Milley said, “no matter who they’re from, there’s a process here, there’s a procedure. No matter what you’re told, you do the procedure. You do the process. And I’m part of that procedure. You’ve got to make sure that the right people are on the net.”

If there was any doubt what he was emphasizing, he added, “You just make sure that I’m on this net. “Don’t forget. Just don’t forget.”

He said that his statements applied to any order for military action, not just the use of nuclear weapons. He had to be in the loop.

Since these details about Milley came out, Trump and his frothers have claimed Milley committed treason, in concert with Nancy Pelosi (who had expressed concerns to Milley about the safety of America’s nuclear arsenal).

The attack on Milley is the same kind of manufactured grievance — often cultivated by investigation witness Kash Patel (who was DOD Chief of Staff during the transition) — as the Russian investigation. That other inflated grievance led Trump to compile a dumbass binder of sensitive documents that didn’t substantiate his grievances. If Trump did the same with Milley, either before or after he left office, those documents might include highly sensitive documents, including SIGINT reports about China’s response to Milley’s contacts.

If DOJ were ever to charge Trump for refusing to give back classified documents under 18 USC 793(e), DOJ would select a subset of the documents to charge, probably from among those seized in August. They would pick those that, if declassified for trial, would not do new damage to national security, documents that would allow prosecutors to tell a compelling story at trial. And given WaPo’s report, there’s good reason to think there’s a story they think they could tell about documents that may be part of Trump’s grievance campaign against Milley.

WaPo also described that witnesses are being asked whether Trump shared documents, including a map, with donors.

As investigators piece together what happened in May and June of last year, they have been asking witnesses if Trump showed classified documents, including maps, to political donors, people familiar with those conversations said.

According to the story, communications from Trump’s former Executive Assistant, Molly Michael, have been key for investigators.

[A]uthorities have another category of evidence that they consider particularly helpful as they reconstruct events from last spring: emails and texts of Molly Michael, an assistant to the former president who followed him from the White House to Florida before she eventually left that job last year. Michael’s written communications have provided investigators with a detailed understanding of the day-to-day activity at Mar-a-Lago at critical moments, these people said.

Michael is likely the person in whose desk drawer at least two of the classified documents seized in August were found: the two “compiled” with messages from a pollster, a faith leader, and a book author, the kind of document you would show to donors. That document, which combines two classified documents obtained before Trump left the White House with messages from after he left, is the kind of smoking gun that shows Trump didn’t just hoard documents because of ego (as Barrett reported even after the existence of this document was made public), but because he was putting classified documents to his own personal use. We learned back in November that there was evidence that Trump had used two classified documents in what sounds like a campaign document. Perhaps one of those classified documents was a map (of Israel? of Ukraine?).

Whatever it is, this is the kind of story prosecutors might like to tell at stolen classified document trials, not just because it would show Trump putting the nation’s secrets to his own personal gain and sharing classified documents with people who never had clearance, but because it would be proof that people on Trump’s team knew of and accessed documents after they lost their need to access such documents. This document would go a long way to proving that Trump didn’t just hoard classified documents out of negligence (which is currently the explanation for why both Joe Biden and Mike Pence did), but because he wanted to make use of what he took.

Molly Michael is also the person who ordered a more junior aide to make a digital copy of Trump’s schedules from when he was President, an order that led to documents with classification markings being loaded to a laptop and likely to the cloud. That’s another example of the kind of exploitation of classified documents that would make a good story at trial.

It’s also the kind of story that could expose Michael herself to Espionage Act charges, such that she might work hard to minimize her own exposure. And yes, because she was Trump’s Executive Assistant, both at the White House and after he moved back to Mar-a-Lago, she likely can explain a lot about how Trump used documents he took from the White House and brought to Mar-a-Lago, including documents used as part of his political campaigning afterwards.

Without conceding it was incorrect, WaPo notes that in November, after it was already public that Trump had a self-interested reason to refuse to return documents, it reported it was all just ego (it now attributes that conclusion entirely to what Trump told his aides, not — as claimed in the first line of last fall’s story — what “Federal agents and prosecutors have come to believe”).

Such alleged conduct could demonstrate Trump’s habits when it came to classified documents, and what may have motivated him to want to keep the papers. The Post has previously reported that Trump told aides he did not want to return documents and other items from his presidency — which by law are supposed to remain in government custody — because he believed they belonged to him.

Even in a story describing prosecutors collecting evidence about at least two stories about classified records that they might tell at a trial, the WaPo remarkably suggests to readers that obstruction is the primary crime being investigated here.

The application for court approval for that search said agents were pursuing evidence of violations of statutes including 18 USC 1519, which makes it a crime to alter, destroy, mutilate or conceal a document or tangible object “with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency.”

A key element in most obstruction cases is intent, because to bring such a charge, prosecutors have to be able to show that whatever actions were taken were done to try to hinder or block an investigation. In the Trump case, prosecutors and federal agents are trying to gather any evidence pointing to the motivation for Trump’s actions.

[snip]

Investigators have also amassed evidence indicating that Trump told others to mislead government officials in early 2022, before the subpoena, when the National Archives and Records Administration was working with the Justice Department to try to recover a wide range of papers, many of them not classified, from Trump’s time as president, the people familiar with the investigation said. While such alleged conduct may not constitute a crime, it could serve as evidence of the former president’s intent.

By treating this as only an obstruction investigation, WaPo incorrectly claims that lying to NARA (as opposed to the FBI) could not be part of a crime.

Here’s my attempt to lay out the elements of offense of both crimes — what prosecutors would have to prove at trial (I wrote more about the elements of an 18 USC 793e charge here and here).

To prove obstruction, DOJ would focus on the things of which — WaPo describes — Jack Smith’s team has developed substantial proof. Most conservatively, they would pertain to a grand jury investigation, because that application would be uncontroversial. After DOJ sent Trump a grand jury subpoena (which would be presented at trial as proof that Trump had notice of the grand jury investigation, his knowledge of which Evan Corcoran’s recent testimony would further corroborate), Trump took steps to hide documents and thereby prevent full compliance with that subpoena, and so thwarted a grand jury investigation. That’s your obstruction charge.

DOJ could charge a second act of obstruction tied to NARA’s effort to recover documents as part of its proper administration of the Presidential Records Act. But such an application would be guaranteed to be appealed. So the safer route would be to charge behavior that post-dates Trump’s knowledge of the grand jury investigation (and indeed, WaPo describes a close focus on events that took place starting last May).

But Trump’s longer effort to deceive the government in order to hoard documents is proof of 18 USC 793(e). To prove that, DOJ would need to prove that the government, whether NARA or FBI, told Trump he was not authorized to have documents covered by the Presidential Records Act, a subset of which would include documents with classification marks. They would need to show that Trump had been told about why he needed to protect classified records, which Trump’s former White House counsels and Staff Secretary have described (and documented) doing. For good measure they would show that Jay Bratt affirmatively told Trump that he had been (and, the August search would prove, was still) storing classified documents in places not authorized for such storage.

To prove 18 USC 793(e) at trial, you would need to describe specific documents Trump refused to give back and explain to a jury why they fit the definition of National Defense Information, material that remained closely held that, if released, could do damage to the US. That may be why they’re asking questions about Trump’s obsession with Milley or sharing maps with donors: because it’s part of the story that prosecutors would tell at trial, if they were to charge 18 USC 793.

All of which is to say that WaPo not only reported that DOJ has collected more evidence to prove what DOJ already suspected when they did the search on August 8, but they’ve been collecting information that would go beyond that, to a hypothetical Espionage Act charge.

Charging a former President with violating the Espionage Act is still an awfully big lift, and in the same way that charging obstruction for impeding NARA’s proper administration of the Presidential Records Act would invite an appeal, charging 18 USC 793(e) in DC would invite a challenge on venue (and charging it in Florida would risk spending the next three years fighting Aileen Cannon). But in addition to developing more evidence to prove the suspicions that they already substantiated in August, WaPo describes Jack Smith’s team asking the kinds of questions — about specific documents that might be charged as individual violations of the Espionage Act — that you’d ask before charging it.

Asking whether Trump (or Molly Michael or anyone else from Trump’s PAC) showed donors a classified map in a package also showing polling and a faith leader’s support for Trump’s policy in an attempt to raise money doesn’t get you evidence of obstruction. If the map is classified, though, it gets you proof that Trump not only knew he had classified documents, but had turned to profiting off of them.

That’s not a guarantee they’re going to charge 18 USC 793e. It’s a pretty good sign they’re collecting evidence that might support that charge.

Update: CNN has a much more measured story, describing how Jack Smith’s team is locking in the voluntary testimony they got last summer.

The new details come amid signs the Justice Department is taking steps typical of near the end of an investigation.

The recent investigative activity before a federal grand jury in Washington, DC, also includes subpoenaing witnesses in March and April who had previously spoken to investigators, the sources said. While the FBI interviewed many aides and workers at Mar-a-Lago nearly a year ago voluntarily, grand jury appearances are transcribed and under-oath – an indication the prosecutors are locking in witness testimony.

[snip]

The grand jury activity – expected to continue to occur at a frequent clip in the coming weeks – builds upon several known reactions Trump and others around him had to the DOJ’s attempt to reclaim classified records last year, and which prompted the FBI to obtain a judge’s approval to search Mar-a-Lago in August for classified records.

Some of the evidence the DOJ has used to persuade a judge to allow that search is still under seal.

It also notes that Smith is still pursuing how a box including documents with classification marks came to be brought back to Mar-a-Lago after the search.

Since then, the Justice Department has pushed for answers around how a box with classified records ended up in Trump’s office after the FBI search took place.


Trump’s People Have Attempted to Cover Up That He Cheated to Cover Up Cheating in 2016 at Least Six Times

Among the things Trump said in his tweet yesterday complaining that he had been “indicated” is that his criminal prosecution was “a continuing attack on our once free and fair elections.”

Thanks to the former President for reminding us what the charges against him, in part, are about: That he cheated to win.

Whether it would have made a difference or not, Donald Trump believed it sufficiently important to lie to American voters about fucking two women– both Karen McDougal and Stormy Daniels — that both were paid in the last months of his 2016 campaign to prevent voters from finding out.

Paying his former sex partners to hide from voters that he cheated on Melania is not, itself, illegal.

Having corporations pay sex workers for the purpose of benefitting a political campaign is. The company that owned the National Enquirer paid for the first payment, to McDougal; Trump Organization, by reimbursing the payment that Michael Cohen made, eventually paid for the second payment, to Daniels.

The charges brought against Trump in NY reportedly relate, at least in part, to the second payment — to the treatment of the reimbursement to Cohen as a legal retainer rather than a reimbursement for a political donation. That is, the cheapskate billionaire, who could have legally paid off the women himself, allegedly covered up his cover-up.

Trump’s eponymous corporate persons have already been found guilty of serving as personal slush funds. In 2019, he admitted the Trump Foundation had engaged in self-dealing. And last year, a jury convicted Trump Organization of compensating employees via untaxed benefits rather than salary.

The new charges against Trump aren’t so much unprecedented, as they simply charge Trump’s biological person with the same crimes for which his corporate persons have already been convicted.

But there’s more history here, too. On multiple occasions, agents of Donald Trump reportedly engaged in further attempts to cover up this cover-up.

Trump Organization withheld multiple documents from investigators. Most known documents that were withheld — such as the email showing Cohen had a substantive conversation with a Dmitri Peskov aide during the election — pertain to Russia, but it’s certainly possible they withheld others.

In 2018, in the days after SDNY seized phones that included recordings of conversations about the hush payments, Trump is suspected of floating a pardon to Cohen to keep him quiet, about this and about the impossibly lucrative Trump Tower deal both had lied to hide from voters in 2016.

In an email that day to Cohen, [Robert] Costello wrote that he had spoken with Giuliani.1026 Costello told Cohen the conversation was “Very Very Positive[.] You are ‘loved’. . . they are in our corner. . . . Sleep well tonight[], you have friends in high places.”1027

Cohen said that following these messages he believed he had the support of the White House if he continued to toe the party line, and he determined to stay on message and be part of the team.1028 At the time, Cohen’s understood that his legal fees were still being paid by the Trump Organization, which he said was important to him.1029 Cohen believed he needed the power of the President to take care of him, so he needed to defend the President and stay on message.1030

Cohen also recalled speaking with the President’s personal counsel about pardons after the searches of his home and office had occurred, at a time when the media had reported that pardon discussions were occurring at the White House.1031 Cohen told the President’s personal counsel he had been a loyal lawyer and servant, and he said that after the searches he was in an uncomfortable position and wanted to know what was in it for him.1032 According to Cohen, the President’s personal counsel responded that Cohen should stay on message, that the investigation was a witch hunt, and that everything would be fine.1033

Note that the payments for Cohen’s legal fees — which stopped after he pled guilty — are another expense that Trump Organization may not have accounted for properly.

Later in 2018, during the period where he was feigning cooperation with Mueller’s prosecutors but really just stalling past the midterm elections, Paul Manafort attempted to lie about some aspect of a different investigation.

Manafort gave different versions of events surrounding an incident in the summer 2016 that was potentially relevant to the investigation: one version that was more incriminating was given prior to signing the plea agreement (on September 13, 2018), and another that was more benign was made after on October 5, 2018, after his plea. When confronted with the inconsistency by the government and his own counsel, Manafort largely retracted the second version.

A footnote in that discussion cites the Cohen plea, suggesting the 2016 conversations that Manafort lied to prosecutors in an attempt to spin pertained to these hush payments.

83 See United States v. Cohen, 18-cr-602 (S.D.N.Y. 2018); Information, United States v. Cohen, 18-cr602 (S.D.N.Y Aug. 21, 2018) (Doc. 2).

Unlike Cohen, of course, Manafort did get a pardon.

In the months after Cohen’s plea, Main DOJ attempted to interfere in the Cohen investigation repeatedly, as laid out in Geoffrey Berman’s book. They did so first on Rod Rosenstein’s orders, by demanding the SDNY rewrite Cohen’s statement of offense to hide the degree to which Trump ordered the hush payments (Rosenstein’s deputy, Ed O’Callaghan, tried to eliminate all reference to Individual-1).

We then sent a copy to Rod Rosenstein, informing him that a plea was imminent. The next day, Khuzami, who was overseeing the case, received a call from O’Callaghan, Rosenstein’s principal deputy.

O’Callaghan was aggressive.

Why the length, he wanted to know. He argued that now that Cohen is pleading guilty we don’t need all this description.

[Robert] Khuzami responded, What exactly are you concerned about? O’Callaghan proceeded to identify specific allegations that he wanted removed, almost all referencing Individual-1.

It quickly became apparent to Khuzami that, contrary to what O’Callaghan professed, it wasn’t the overall length or detail of the document that concerned him; it was any mention of Individual-1.

[snip]

The team was tasked with the rewrite and stayed up most of the night. The revised information, now twenty-one pages, kept all of the charges but removed certain allegations, including allegations that Individual-1 acted “in concert with” and “coordinated with” Cohen on the illegal campaign contributions. The information now alleged that Cohen acted in concert and coordinated with “one or more members of the campaign.” But in the end, everything that truly needed to be in the information was still there.

Then, after Bill Barr came in, he amazingly tried to order SDNY to dismiss the charges against Cohen entirely, the functional equivalent of what he tried with Mike Flynn, undoing a successful criminal prosecution after the fact.

When Barr took over in February 2019, he not only tried to kill the ongoing investigations but—incredibly—suggested that Cohen’s conviction on campaign finance charges be reversed.

Barr summoned Rob Khuzami in late February to challenge the basis of Cohen’s plea as well as the reasoning behind pursuing similar campaign finance charges against other individuals. Khuzami was told to cease all investigative work on the campaign finance allegations until the Office of Legal Counsel, an important part of Main Justice, determined there was a legal basis for the campaign finance charges to which Cohen pleaded guilty—and until Barr determined there was a sufficient federal interest in pursuing charges against others.

Barr had Steven Engel write up an OLC opinion about the charges (which is likely one of the reasons SDNY didn’t charge Trump).

About six weeks later, Khuzami returned to DC for another meeting about Cohen. He was accompanied by Audrey Strauss, Russ Capone, and Edward “Ted” Diskant, Capone’s co-chief. Barr was in the room, along with Steven Engel, the head of the Office of Legal Counsel, and others from Main Justice. A fifteen-page memo, drafted by Engel’s office, had been provided to our team the day before, which they were still analyzing. I learned later that it was an intense meeting.

When SDNY refused to dismiss the case against Cohen, Barr tried to transfer the case to EDNY, under Richard Donoghue, so he could kill it.

About a week after our office tussled with Barr and Engel, Barr attempted to do just that. Word was passed to me from one of Barr’s deputies that he wanted Richard Donoghue, the US Attorney for the Eastern District of New York (who would later transfer to Main Justice to work under Barr), to take over supervision of anything I was recused from.

At the same time that Barr was trying to cover up that Trump cheated to win in 2016, Republicans on the FEC were joining in the cover-up. After FEC’s General Counsel recommended acting on several complaints about the payments, Republican Commissioners Sean Cooksey and Trey Trainor refused to do so because, they said, Michael Cohen had already been prosecuted for it and, thanks to Trump’s own actions, there was a backlog of other complaints.

Before the Commission could consider the Office of General Counsel’s (“OGC”) recommendations in these matters, Mr. Cohen pleaded guilty to an eight-count criminal information,2 and in connection thereto admitted, among other things, to making an excessive contribution in violation of the Act by making the Clifford payment from his personal funds. 3 The plea hearing transcript includes a step by step review of how U.S. District Judge William Pauley verified the plea, confirming that a federal judge was sufficiently satisfied with the circumstances surrounding the plea deal and the responses given by Cohen at the hearing, including the explanations given by Cohen, count by count, during his allocution.4 Ultimately Mr. Cohen was sentenced to three years in prison and ordered to pay $1.39 million in restitution, $500,000 in forfeiture, and $100,000 in fines for two campaign finance violations (including the payment at issue in these matters) and other charges. In sum, the public record is complete with respect to the conduct at issue in these complaints, and Mr. Cohen has been punished by the government of the United States for the conduct at issue in these matters.

Thus, we concluded that pursuing these matters further was not the best use of agency resources.5 The Commission regularly dismisses matters where other government agencies have already adequately enforced and vindicated the Commission’s interests.6 Furthermore, by the time OGC’s recommendations came before us, the Commission was facing an extensive enforcement docket backlog resulting from a prolonged lack of a quorum, 7 and these matters were already statute-of-limitations imperiled.

This was one of 22 credible campaign finance allegations against Trump that Republicans refused to consider, nothing less than a partisan effort to make the leader of their party immune from all campaign finance rules.

There’s a lot of shite being written about how the indictment of a former President — for actions that stem from cheating to win — will test democracy.

But Trump’s serial cover-ups of his own actions in this and other matters already threaten democracy.

Trump is right: This is about free and fair elections. This is, like most of his allegedly criminal behavior, about his refusal to contest elections fairly. It’s about his corruption of the entire Republican Party, from top to bottom. And it’s about one of at least six times that Trump and his agents have tried to cover up that he cheated to win in 2016.


Donald Trump, Accused Criminal

NYT reports that Trump has been indicted. CNN has confirmed.

A Manhattan grand jury voted to indict Donald J. Trump on Thursday for his role in paying hush money to a porn star, according to four people with knowledge of the matter, a historic development that will shake up the 2024 presidential race and forever mark him as the nation’s first former president to face criminal charges.

The felony indictment, filed under seal by the Manhattan district attorney’s office, will likely be announced in the coming days. By then, prosecutors working for the district attorney, Alvin L. Bragg, will have asked Mr. Trump to surrender and to face arraignment on charges that remain unknown for now.

These are just the training wheel charges.


The Yahoos in Brazil Identified in Sergey Cherkasov’s Complaint

There’s a detail in Greg Miller’s profile of Sergey Cherkasov, the Russian accused of posing under an assumed Brazilian identity and using a SAIS degree to get an internship at the ICC, that confirms something I’ve long assumed: the US has had a hand in the recent roll-up of Russian spies, mostly in Europe.

He was due to start a six-month internship there last year — just as the court began investigating Russian war crimes in Ukraine — only to be turned away by Dutch authorities acting on information relayed by the FBI, according to Western security officials.

[snip]

His arrest last April came at the outset of an ongoing roll-up of Russian intelligence networks across Europe, a crackdown launched after Russia’s invasion of Ukraine that officials say has inflicted greater damage on Kremlin spy agencies than any other effort since the end of the Cold War.

The FBI and CIA have played extensive behind-the-scenes roles in this wave of arrests and expulsions, according to Western officials.

As Miller describes, the Dutch realized that Russians stationed in the Hague were preparing to welcome a new agent, but by then, the US already had an incredibly detailed dossier on him.

On March 31, as he boarded a flight to Amsterdam, neither Cherkasov nor his GRU handlers seemed aware of the net closing in on him. By then, the Dutch intelligence service had picked up its own signals that the Russian Embassy in The Hague was making preparations for the arrival of an important new illegal, according to a Western security official.

Authorities in the Netherlands then received a dossier from the FBI with so much detail about Cherkasov’s identity and GRU affiliation that they concluded the bureau and the CIA had been secretly monitoring Cherkasov for months if not years, according to a Western official familiar with the matter.

Until DOJ charged him last week, this had been largely a European story, with Dutch intelligence crowing about their success at foiling his plans and Bellingcat serially unpacking his public life (though CNN published this story at the time). Significantly, the Dutch published his legend and an explanation of how it might be used, with translations into Dutch and English from the original Portuguese.

As noted below, the US would later source its own possession of the legend to devices seized from Cherkasov on arrest in Brazil.

However, as Brazil gets closer to extraditing Cherkasov back to Russia on a trumped-up narcotics trafficking charge, the US stepped in to make their own claim with the criminal charges: multiple counts of fraud, as well as acting as an unregistered foreign power. It’s not yet clear how Brazil will respond to the competing charges. Contrary to some reporting on the charges, DOJ has not yet indicted the case. The complaint has not yet been docketed.

Which is why I wanted to look at the sourcing for the complaint.

Many of the sources in the complaint come by way of Brazil, temporally after the Dutch deported him and the Brazilians arrested him, and so long past the time the US shared “a dossier” from the FBI reflecting months if not years of review. Brazil-sourced evidence includes:

  • A picture taken on Cherkasov’s 2011 immigration into Brazil
  • His Brazilian birth certificate
  • The details behind Brazil’s identity theft charges
  • Items collected — as if for the first time — from devices Cherkasov had with him when he arrived in Brazil, including:
    • The hard drive
    • Thumb drive 1
    • Thumb drive 2
    • Thumb drive 3, including:
      • March 2022 emails of unknown provider with details about a dead drop
      • Details about his dead drop site
      • March 2022 emails about paying for false Portuguese citizenship
      • March 2022 emails about establishing a meeting place
    • Samsung Galaxy Note phone
      • His mother’s Kaliningrad contact
      • 90 contacts with someone whose Telegram account and VKontakte account lead to a 2011 picture of Cherkasov in military uniform and a 2008 picture with friends
      • Contacts from one of those friends to a posted picture in military uniform (a picture also shown in the original Bellingcat profile)
  • Devices collected from the dead drop shared by Brazilian authorities
  • Correspondence between Brazil and Russia about Cherkasov
  • Audio messages between Cherkasov and his fiancée from immediately after his arrest in the Netherlands
  • Post-arrest communications between Cherkasov and his one-time fiancée, at least some of which were photographs of hand-written notes
  • Validation of Cherkasov’s ID in certain photos from FBI agents who met him in 2022 (though these meetings are not explicitly described to have taken place in Brazil)
  • A Bellingcat story debunking the Russian narcotics charges against Cherkasov

The focus on the phone, especially, cites evidence that would be fairly easily collected via other sources, but attributes that evidence to analysis the FBI did only downstream from the Brazilian arrest, and with the assent of Brazil. The complaint doesn’t explain whether these devices were encrypted or even what messaging applications were used, at least on the thumb drives including communications with his handlers. But there’s at least some reason to believe Brazil let FBI take the lead on exploiting those devices.

To be sure, there are items that the US could have collected in the US, whether before or after Cherkasov flew to the Hague, such as an Uber receipt timed to his travel to the dead drop in Brazil and IP addresses tied to US-based cloud providers like Yahoo and Google. Just once does the complaint reference using legal process — a 2017 video from a Moscow airport restaurant, obtained using legal process, reflecting Cherkasov saying goodbye to his mother — though it doesn’t describe what kind (it sounds like it could be iCloud content).

Still, the emphasis on material obtained with subpoenas and investigative steps done while Cherkasov has been in Brazilian custody — whether or not that was the first that FBI obtained such evidence — is one reason I’m interested in the outliers.

This is a document that could form the basis to extradite Cherkasov to the US — it seems more than sufficient to make that case. But it’s also a document that might reflect on the kinds of investigations that have contributed to efforts to roll up spies outside of the US.

First, there are details about communications that Cherkasov had, while studying at Trinity College in Ireland and so not a US person at all — via known Section 702 participant, Yahoo!!! — with a tour agent who wrote recommendations for Cherkasov and then later worked in Russia’s Consulate General and, apparently, the General Consul himself.

CHERKASOV used the Yahoo 1 Account on multiple occasions to contact individual “C2” who was communicating with CHERKASOV from Brazil. C2 communicated with CHERKASOV on numerous matters, including financial matters, between at least July 22, 2016, and December 27, 2019. According to a translation of C2’s curriculum vitae, C2 worked in Brazil at “The General Consulate of the Russian Federation,” for “General Consul [M.G.]”

[snip]

35. Other emails show C2 took direction from another person, M.G., about financial payments that C2 sent to CHERKASOV. In correspondence between C2 and M.G., C2 refers to M.G. as “Mikhail” and the email address is identified in C2’s contacts as “MikhailRussia.” For example, on or about November 30, 2016, C2 forwarded M.G. correspondence from CHERKASOV that indicated another payment to CHERKASOV was imminent. M.G. responded by sending an email to C2 instructing C2 to make a payment to CHERKASOV: “Friend; thank you very much. Let’s do another one on the 14th of December.” According to further correspondence, CHERKASOV was able to receive the original transaction intended via MoneyGram. However, after corresponding to CHERKASOV that C2 would attempt to make transactions via Western Union the following day, financial records indicate C2 attempted to make two separate transactions via Western Union shortly after on December 16 and 18, 2016, for $842.65 and $867.55, respectively, but the funds were never transferred to CHERKASOV. CHERKASOV corresponded on December 19, 2016, that Western Union would not work properly and moving forward, the transactions should be made via Moneygram. C2 corresponded back to CHERKASOV on December 20, 2016, that C2 had sent €750 again via Moneygram to CHERKASOV.

36. C2 also stated in other emails that C2 previously owned a travel agency in Brazil, and that the Russian Federation was one of C2’s best clients. C2 later moved to the Russian Consulate after C2 closed the travel agency.

37. On or about March 8, 2017, C2 wrote a letter of recommendation for CHERKASOV for a university located in Canada. In the letter, C2 indicated FERREIRA worked as a travel consultant for C2 from May 2014 until March 2017, and as a senior event manager in

It’s possible that something Cherkasov did while at SAIS triggered a larger investigation that worked its way back to two likely Russian spies in Brazil. It’s also possible that the investigation started from known subjects in Brazil and thereby discovered Cherkasov.

But one thing these two references do — aside from identifying the travel agent later made part of the official Russian delegation, aside from making Cherkasov’s tie to Russian government officials necessary for the 18 USC 951 charge — is put both Brazil and Russia on notice that the US is aware of these two suspected intelligence officers who were or are in Brazil.

Both C2 and the Consul General would have been legal targets for the entirety of the period in question and (as noted) Cherkasov was while he was in either Ireland or Brazil.

Another of the relatively few pieces of evidence unmoored from the Brazil arrest pertains to collection Cherkasov shared after taking a SAIS trip to Israel. The details around the reporting — the single-use email directing Cherkasov to fly to the Philippines to meet — definitely give the story spy drama.

Just as interesting, however, are the descriptions of the identifiable US (and Israeli) subjects targeted by Cherkasov’s collection.

45. On or about January 16, 2020, CHERKASOV, using his D.C.-based phone number, texted with M.S. at a Philippines-based number for M.S. the following:

CHERKASOV: Hey [M], I arrived…Where do you want to meet?

[M.S.]: Grab a taxi and ask to drive via skyway.

CHERKASOV: On my way. Will be there in approx. 15 min.

[M.S.]: Ok. Here

CHERKASOV: I can’t find it

[M.S.]: Names?

CHERKASOV: Yea, I’ll text you then when I’m in the airport.

CHERKASOV: Texting you the names.

CHERKASOV: Sent you a list there. Now whom we met.

CHERKASOV: All people from the Jerusalem Embassy, literally every single one, even LGBTQ advisor. [N.G.] – security expert, local. I think he is a spook. [?.L.] ‘kingmaker’ – [Israeli political] party leader

CHERKASOV: The previous list didn’t sent [sic], I’ll retype it.

CHERKASOV: Can I send it to you email?

CHERKASOV: This SMS shit kills me

[M.S.]: Sure.

46. On or about January 17, 2020, CHERKASOV sent M.S. an email with a screen shot of names, mostly U.S. persons (“USP”), stating the following:

Just a list of interesting people that I was talking to you about

Experts side:

[USP 1] – DoS, middle Eastern direction advisor the president admin, former [University 1] student.

[USP 2] – FDD, military security adviros [sic] to the Congress Committee on Intelligence, [USP 3]’s assistant.

[“TT1”] group:

[USP 4] – [USP 5] chair, came only for a day though,

[USP 6] – main guy to call shots, Israeli expert came with small team of his own.

[University 1, University 2] student leader:

[USP 7] – Anapolis [sic] Naval Academy Cyber Sec instructor

While just one of the people involved in Cherkasov’s targeting — his SAIS professor, Eugene Finkel — has explicitly spoken out about being duped by Cherkasov, virtually all of these people (and a bunch more described later in the complaint) are likely to be able to identify themselves.

There are a few I suspect I recognize and, if I’m right, they’ve been apologists for Trump’s propaganda about Russia.

Notably, this messaging involved a US-based phone, one not obviously included among the devices seized from Cherkasov when he returned to Brazil. The FBI Agent who wrote the affidavit couldn’t have obtained the messaging in real time — he or she has only worked at the FBI since 2021, and the messaging dates to early 2020. But the affidavit does reference “surveillance that I have conducted.”

In general, the FBI is revealing almost nothing obtained via sensitive sources and methods — that’s one reason the reliance on evidence obtained via Brazil is of interest to me. Given how the US has allowed European countries to take credit for these stings, I find it interesting that the US almost creates the misimpression that it only discovered Cherkasov — that it accessed his legend that the Dutch had upon his arrest — when he arrived in Brazil.

But in just a few spots, the affidavit gives a glimpse of what else the US Intelligence Community might know.

The US has not really taken much credit for helping a bunch of European countries roll up Russian spies (though they’re likely reminding them of the role Section 702 plays in the process). But this document, seemingly released because they had reason to exert legal pressure on a country that is fairly close to Russia, likely serves multiple purposes. While it doesn’t give away a lot, it does hint at far more.

Update, 4/6: The Guardian reported that two suspected Russian illegals, one presenting as Brazilian and the other presenting as Greek-Mexican, disappeared in January.

Halfway through a trip to Malaysia in January, Gerhard Daniel Campos Wittich stopped messaging his girlfriend back home in Rio de Janeiro and she promptly launched a frantic search for her missing partner.

A Brazilian of Austrian heritage, Campos Wittich ran a series of 3D printing companies in Rio that made, among other things, novelty resin sculptures for the Brazilian military and sausage dog key chains.

[snip]

The Brazilian foreign ministry and Facebook communities in Malaysia mobilised to look for the missing man. But Campos Wittich had simply disappeared.

Greece believes Campos Wittich was a Russian illegal with the surname Shmyrev, said the official, while his wife, “Maria Tsalla”, was born Irina Romanova. She married him in Russia before their missions began and took his surname, the Greeks claim. She left Athens in a hurry in early January, just after Campos Wittich left Brazil. Neither have returned.

If I’m right that the FBI chose to use the Cherkasov complaint in part to identify those in Brazil who were running illegals, it may be because the disappearance of another Brazilian illegal in January led the US Intelligence Community to believe Russia had figured out what the US knew.


Donald Trump’s Dumbass Russia Binder

There is some tie between Donald Trump’s effort — as one of his last acts as President — to declassify a binder of materials from the Crossfire Hurricane investigation and his hoarding of still-classified documents that could get him charged under the Espionage Act.

It’s not yet clear what that tie is, though.

On May 5 of last year, Kash Patel offered the declassification effort as an alibi, claiming Trump had declassified a bunch of materials, including not just the Crossfire Hurricane materials, but everything else discovered in boxes returned to NARA in January 2022. Kash’s claim would be included in the search affidavit for Mar-a-Lago and ultimately lead to his compelled testimony in the investigation.

Last fall, at a time when Alex Cannon and Eric Herschmann would have been under some scrutiny for their role in Stefan Passantino’s dubious legal advice to Cassidy Hutchinson, Maggie Haberman told a story in which the Trump lawyers heroically warned Trump about the risks of holding classified documents. That story claimed Trump had offered to swap the documents he did have for the Russian-related documents the former President believed NARA had.

It was around that same time that Mr. Trump floated the idea of offering the deal to return the boxes in exchange for documents he believed would expose the Russia investigation as a “hoax” cooked up by the F.B.I. Mr. Trump did not appear to know specifically what he thought the archives had — only that there were items he wanted.

Mr. Trump’s aides — recognizing that such a swap would be a non-starter since the government had a clear right to the material Mr. Trump had taken from the White House and the Russia-related documents held by the archives remained marked as classified — never acted on the idea.

The story doesn’t mention Cannon’s role in a fall 2021 inquiry to NARA about the Russian documents. Nor does it say that National Archives General Counsel Gary Stern told Cannon and Justin Clark that NARA had 2,700 undifferentiated documents, but that the binder Trump wanted declassified had been rendered a Federal Record when it got sent back to DOJ.

That’s what NARA told John Solomon on June 23, 2022 — that Trump’s lawyers had requested the binder in fall 2021 — in Stern’s first explanation for why NARA didn’t have the binder.

John, fyi, last fall Justin Clark, another PRA representative of President Trump, also asked us for a copy of this declassified binder. Upon conducting a search, we learned that the binder had been returned to the Department of Justice on January 20, 2021, per the attached memo from Chief of Staff Mark Meadows to the Attorney General, titled “Privacy Act Review of Certain Declassified Materials Related to the FBI’s Crossfire Hurricane Investigation.”

Accordingly, we do not have the binder containing the declassified records. As we explained to Justin, what we were able to locate is a box that contains roughly 2700 undifferentiated pages of documents with varying types of classification and declassification markings, but we could not be certain of the classification status of any of the information in the box. We are therefore obligated under Executive Order 13526 to treat the contents of the box as classified at the TS/SCI level.

Then on August 9 and again on August 10 last year, immediately following the search on Mar-a-Lago, Solomon asked for all correspondence between Cannon and NARA up until days before the search.

Gary, John: My research indicates there may be a new wrinkle to the Russian declassified documents. As part of my authorized access, I would like to see all correspondence between NARA and attorney Alex Cannon between December 2020 and July 31, 2022. I think the information will have significant value to the public regarding current events. Can that be arranged?

[snip]

Checking back on this. It’s time sensitive from a news perspective. Can you accommodate?

Stern, no dummy, likely recognized that this information would not just have news value, but would also have value to those under criminal investigation; he responded with lawyerly caution. As NARA representative for Trump, he explained, Solomon was only entitled to access Presidential records — those that predate January 20, 2021 — and communications between Cannon and NARA post-dated all that. But, Stern helpfully noted, Cannon was cc’ed on the request for the Russian binder.

It’s important to clarify that, as a designated PRA representative of President Trump, you may receive access to the Presidential records of the Trump Administration that have been transferred to NARA, which date from January 20, 2017 to January 20, 2021.

Alex Cannon has represented President Trump on PRA matters (along with Justin Clark) only since the summer of 2021, principally with respect to the notification and review process in response to special access requests. Accordingly, there would not be any Trump Presidential records between NARA and Alex Cannon.

FYI, in my June 23 email to you (which is below within this email thread), I noted that “last fall Justin Clark, another PRA representative of President Trump, also asked us for a copy of this declassified binder.” Alex Cannon was cc’d on Justin’s request and our response. I am not aware of any other communications that would exist between NARA and Alex about this matter. [my emphasis]

That would be the only communications “about this matter,” seemingly distinguishing the Russian binder from the missing Presidential records.

At the time Maggie was distracting the chattering classes with the swap story, ABC had a very thorough story that revealed some of what Stern had explained to Solomon last year. That story suggests the month-long focus on the Russian binder had led overall compliance with the Presidential Records Act to be lacking. As Hutchinson tells it, it was worse, with 10 to 15 NSC staffers madly copying classified documents in the last days Trump was in office, with two sets of four copies — one still classified, one less sensitive — circulating to who knows where.

The tie between the Russian documents and the documents Trump stole may be no more than the alibi Kash tried to use them as, an attempt to claim that the limited declassification was instead a blanket effort. Perhaps it was also a failed effort to use Kash and Solomon as moles to figure out what NARA got back. Or perhaps some of these materials madly copied at the last moment were among the classified documents Trump took with him. Perhaps some of those materials were among the still-classified documents Trump took and hoarded in a storage closet with a shitty lock.

But that tie is one of the reasons I read the version of the binder released earlier this year in response to a Judicial Watch FOIA closely (release 1, release 2).

That is one dumbass binder. If you’re going to expose yourself and your assistants to Espionage Act prosecution, this is one dumbass document to do so over.

Having reviewed it — even with great familiarity with the unending ability of certain frothers to get ginned up over these things — I cannot believe how many people remain obsessed about this document.

The document, as released to Judicial Watch, is little more than a re-release of a bunch of files that have already been released. Perhaps the only released documents I hadn’t read closely before were memorializations that Andy McCabe wrote of conversations he had in the wake of Jim Comey’s firing with and about Trump, including the one that described Rod Rosenstein offering to wear a wire to meetings at the White House.

And because DOJ subjected the documents to a real Privacy Act review, unlike declassifications effectuated by Director of National Intelligence John Ratcliffe when Kash babysat him as his Chief of Staff, a number of the documents actually are more redacted than previous versions, something that will no doubt be a topic of exciting litigation going forward.

Mark Meadows ordered DOJ to do a Privacy Act review and as a result great swaths of documents were withheld, page after page of b6/b7C exemptions as well as b7D ones to shield confidential information.

Here’s what got released to Judicial Watch, along with links to the previous releases of the documents:

The Bruce Ohr 302s are the only documents that include much newly released material, mostly reflecting Igor Danchenko’s subsequent public identification. Both the candidate briefing and the Carter Page FISA application include significantly more redaction (and those are not the only interesting new redactions); given the redactions, it doesn’t look like Trump contemplated disseminating any Page material that was sequestered by the FISA Court, which would have been legally problematic no matter what Trump ordered, but references to the sequestration were all redacted.

As noted above as Requests 1, 5, 6, 14, and 17, there were five things Trump asked for that were still pending at DOJ when Trump left office. Two of those are identified: A request for materials on Perkins Coie lawyers, which (DOJ informed Trump) had no tie to Crossfire Hurricane, and a request for details on an August 2016 meeting involving Bruce Ohr, Andrew Weissmann, and one other person “concerning Russia or Trump.”

There were a number of communications between Ohr, Weissmann, and others later in 2016, including communications potentially relating to an effort to flip Dmitry Firtash, as well as October 2016 communications between Ohr and McCabe. But the jumbled timeline of Ohr’s communications has often been used to insinuate that the Crossfire Hurricane team learned of the Steele allegations earlier in the investigation than the September 19 that DOJ IG reflects. In any case, some of these meetings likely touched on Oleg Deripaska and some might touch on the suspected Egyptian donation Trump used to stay in the race past September 2016, not the dossier.

Between other then-pending requests and big chunks of withheld information (I’ve noted the biggest chunks above, but it would be around 300 pages total), there are things I would have expected to see in this binder that are not there. For example, almost none of the material released as part of DOJ’s attempt to undermine the Flynn investigation (links to which are in this post) is included here. Most of that stuff constitutes information that would never normally be released. It was egregiously misrepresented by Barr’s DOJ. Some of the files were altered. If these were requested, I can think of a number of reasons it would take DOJ a while to provide the materials. Even still, though, the materials didn’t persuade Emmet Sullivan to overturn Flynn’s prosecution, and documents left out of this bunch, such as Flynn’s later 302s, including some where he obviously told the same lies he had told in January 2017, would easily rebut any claims Trump might offer with the Flynn documents.

The documentation showing Strzok learning of a Russian intelligence product claiming not very damning things about Hillary is not in here. That, too, is something that would never have been released with a normal DNI not being led around by Kash Patel and it’s one that would take DOJ a good deal of time to clear. But as I laid out here, the report came after Trump had already demonstrably started pursuing files stolen by Russia. By the time Hillary purportedly decided to call out Trump for encouraging the Russian hack, Trump was encouraging the Russian hack.

Given that Mike Rogers’ 302 from the Mueller investigation is included here, you’d expect those of Trump’s other top intelligence officials to be included as well. Dan Coats and Mike Pompeo were interviewed in the weeks after Rogers. Coats’ aide Mike Dempsey and NSA Deputy Director Rick Ledgett were also interviewed about Trump’s March 2017 effort to get the IC to deny he had a role in Russian interference, as was Trump’s one-time briefer Edward Gistaro (Gistaro was interviewed a second time in 2018, in an interview treated as TS/SCI, which likely pertained to his involvement in briefing at Mar-a-Lago during the transition). Details of these interviews show up in the Mueller Report, and his request only helps to make Trump look more guilty.

It doesn’t include materials released as part of the failed Sussmann and Danchenko prosecutions. But like Barr’s effort to overturn the Flynn prosecution, none of that evidence sustained Trump’s conspiracy theories either. Indeed, during a bench conference in the Danchenko trial, Durham fought hard to keep the substance of the discussions — ostensibly about energy investments — between Sergei Millian and George Papadopoulos starting in July 2016 out of the trial because, “it certainly sounds creepy.” The Sussmann trial showed how justified people were in wondering about Trump’s Russia ties in the wake of his “Russia are you listening” comment. It provided a glimpse of how time-consuming being a victim of a nation-state hack had been for Hillary in 2016. Durham even demonstrated that FBI badly screwed up the Alfa Bank investigation. When subjected to the rules of evidence, none of Trump’s hoax claims hold up.

The point is, nothing in this binder — particularly as released — supports Trump’s claims that the investigation into him wasn’t independently predicated and didn’t lead to really damning information implicating at least five of his top aides and his own son.

Trump keeps trying to collect some set of evidence that will make go away the far more damning ties to Russia that his National Security Advisor, his Coffee Boy, his personal lawyer, his campaign manager, and his rat-fucker all lied to hide. And in this case, it may have led Trump to do something far dumber, to defy a subpoena and hoard highly classified documents.

Which possibility only makes the dumbass Russia binder even more of a dumbass Russian binder.


“That’s How … You End Up as a Defendant in a Court Room:” Some Days in the Life of a Named-and-Shamed Former GRU Hacker, Ivan Ermakov

In early 2018, Ivan [Y]Ermakov,* one of the hackers alleged to have stolen John Podesta’s emails two years earlier, was living it up.

For his April 10 birthday that year, he went on a stunning heli-ski trip with his future co-conspirator, Vladislav Klyushin (Ermakov is on the left in this picture, Klyushin, on the right and in the Featured Image picture).

In summer 2018, they were enjoying the Sochi World Cup together, too.

Just days after this trip to Sochi, however, on July 13, 2018, Robert Mueller would indict Ermakov, along with eleven of his former GRU colleagues, for hacking the DNC, DCCC, Hillary Clinton, election vendors, and registration websites, as well as orchestrating the release of the stolen files.

By the time of that first indictment against him — the first of three known indictments against the Russian hacker so far — Ermakov had already made one of the fatal slip-ups that would form part of the proof against Klyushin at trial, this time for a hack-and-trade scam. On May 9, 2018, Yermakov received three updates from his Apple iTunes account to the IP address 119.204.194.11. Just four minutes later, someone using that IP address downloaded an SEC filing using credentials stolen from a Donnelley Financial employee named Julie Soma. That download occurred hours before the report would be publicly filed with the SEC, one of dozens of such thefts of SEC filings that formed the basis of the hacking and securities fraud charges against the men.

So months before Mueller’s indictment alerted Ermakov that the FBI had discovered who he was and that they believed he was one of the hackers behind the 2016 hack, he had already left proof in US-based servers that would tie him to a follow-up crime, the hack-and-insider trading conspiracy for which Klyushin was convicted in February.
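The kind of IP-and-timestamp correlation described above can be sketched in a few lines; this is an added example, not code or data from the trial record or the original post. Only the IP address 119.204.194.11 and the May 9, 2018 date come from the post; the clock times, account labels, object names, the other IP addresses (documentation ranges) and the 10-minute window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: service-provider account activity (timestamp, account, source IP).
# Only the first IP and the date are taken from the post; everything else is invented.
PROVIDER_LOG = [
    ("2018-05-09T11:02:10", "subject-account", "119.204.194.11"),
    ("2018-05-09T11:02:40", "subject-account", "119.204.194.11"),
    ("2018-05-09T11:03:05", "subject-account", "119.204.194.11"),
    ("2018-05-09T15:30:00", "unrelated-account", "203.0.113.7"),
    ("2018-05-02T09:00:00", "subject-account", "198.51.100.23"),
]

# Constructed sample: victim-side access log (timestamp, credential, source IP, object).
VICTIM_LOG = [
    ("2018-05-09T11:07:05", "employee-cred-1", "119.204.194.11", "filing-draft-001"),
    ("2018-05-09T16:45:00", "employee-cred-2", "203.0.113.7", "filing-draft-002"),
    ("2018-05-09T12:00:00", "employee-cred-3", "192.0.2.55", "filing-draft-003"),
]


def parse(ts):
    """Parse the ISO-style timestamps used in both sample logs."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(provider_log, victim_log, window=timedelta(minutes=10)):
    """Pair each victim-side access with provider-side activity that came
    from the same IP within `window` before or after the access."""
    by_ip = defaultdict(list)
    for ts, account, ip in provider_log:
        by_ip[ip].append((parse(ts), account))

    findings = []
    for ts, credential, ip, obj in victim_log:
        accessed = parse(ts)
        near = [
            (abs(accessed - seen), account)
            for seen, account in by_ip.get(ip, [])
            if abs(accessed - seen) <= window
        ]
        if not near:
            continue
        accounts = sorted({account for _, account in near})
        findings.append({
            "victim_time": ts,
            "credential": credential,
            "ip": ip,
            "object": obj,
            "accounts": accounts,
            "provider_events": len(near),
            "closest_gap_seconds": int(min(gap for gap, _ in near).total_seconds()),
            # More than one account on the IP in the window (shared NAT, VPN
            # exit node) weakens the inference that one person did both.
            "ambiguous": len(accounts) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(PROVIDER_LOG, VICTIM_LOG):
        print(finding)
```

The tighter the window and the fewer accounts seen on the address, the stronger the tie between the personal account and the intrusion; widening the window to hours starts to pull in coincidental matches.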

Klyushin has challenged the verdict, largely based on a technical challenge to the venue of the charges in Massachusetts.

Per trial testimony, Ermakov left those tell-tale forensic tracks four months before Klyushin would first get involved in the hack-and-trade scheme, in August 2018. The scheme was doomed from the start — at least, it would be doomed if any of the identified co-conspirators traveled to a jurisdiction that would extradite to the US, as Klyushin did in March 2021.

In fact, there’s something curious about that.

One thing submitted as evidence at trial was a picture of a May 22, 2017 Reuters article reporting the US sentence for Ukrainian hacker Vadym Iermolovych, one of ten people prosecuted for a hack-and-trade conspiracy similar to the one for which Klyushin was convicted.

According to the FBI agent who introduced the exhibit, the picture itself was taken in August 2018. Someone printed out the article and packaged it up in a plastic folder over a year after the fact. That suggests Klyushin was in discussion with a very well-connected friend about the possibility of such charges in the same month that Klyushin first got involved in the scheme.

The possibility of prosecution hung over the conspiracy from the start.

Thanks to Klyushin’s promiscuous storage of damning evidence in his iCloud account, from which many of the pictures and chats in this post were obtained by the FBI, the Klyushin case offers an unprecedented public glimpse into the effect that US indictments against nation-state hackers like Ermakov might have on one of the target’s lives. In Ermakov’s case, it didn’t stop him from hacking US targets. Indeed, it’s possible that others used the indictments to pressure Ermakov to use his hacking skills for them.

Since 2014, DOJ has been indicting nation-state hackers in what have always been assumed to be name-and-shame documents, indictments that would never lead to trial. Indeed, that’s what the two earlier indictments of Ermakov have always been assumed to be: a public accusation that would never lead to Ermakov’s imprisonment. The wisdom of indicting nation-state hackers has never been obvious. Yevgeniy Prigozhin’s exploitation of his own name-and-shame indictment has revealed the potential perils of the policy. And Russian denialists brush off the July 2018 indictment charging Ermakov and others with the election year hack (as Matt Taibbi did in his recent congressional testimony), arguing that since the indictment will never be tested at trial, it could be mere government propaganda.

At least in the case of the 2016 Russian operation, the indictment has done little to persuade denialists, who simply refuse to read about the many places where the hackers left evidence.

In a follow-up, I’ll show how DOJ proved their case against Klyushin using the same kind of evidence they used in the earlier indictments against Ermakov and his colleagues, largely metadata and content obtained from US-based and a few foreign servers. DOJ may never get a chance to prove the first two indictments against Ermakov, but using the same investigative techniques, they did prove the case against Ermakov’s co-conspirator, Klyushin.

This case, where a sealed complaint ultimately led to the trial of one co-conspirator of a hacker previously charged, also provides a glimpse of what happened after one nation-state hacker got name-and-shamed in the US.

It’s not clear from the trial record when Ermakov left the GRU or who his formal employer was before he joined Klyushin’s M-13, an information services company with ties to Putin’s office that offered, among its services, pen testing.

The FBI found a contact card for Igor Sladkov, with whom Ermakov may have started the hack-and-trade scheme at least as early as October 2017, in Ermakov’s own iCloud account, one of the only interesting pieces of evidence they found there. It was dated November 16, 2016, just over a week after Donald Trump got elected with Ermakov’s help. Sladkov — whose iCloud OpSec was just as shoddy as Klyushin’s — had a bunch of photos of Ermakov in his iCloud account, including the hacker’s passport, a 2016 picture of Ermakov sitting before an enormous plate of some animal flesh, and a picture from Ermakov’s 2018 ski trip, as well as a picture of Klyushin’s yacht that Ermakov had shared.

Before trial, Klyushin’s team argued that Ermakov never worked for Klyushin’s company, bolstering the claim with a chat from May 2019 in which Ermakov bitched about his job to Klyushin and a certificate from the Russian tax service claiming that [Y]Ermakov never worked at M-13.

But days after that chat, per another pre-trial filing, Ermakov spoke longingly of being able to travel like Klyushin could. Klyushin responded that he would get Ermakov new identity papers so the two could travel to Europe together, but not — Klyushin conceded — London or America. Klyushin seemingly used that discussion as background to press Ermakov to get back to work, with the implication being he should get back to the hack-and-trade scheme.

That is, Ermakov appears to have included Klyushin in the hack-and-trade scheme while still working for someone else. And Klyushin seems to have used his promise to help Ermakov mitigate the risks created by those earlier indictments to pressure Ermakov to keep hacking. If that’s right, the vulnerability created by the earlier indictments gave Klyushin leverage to get Ermakov to keep hacking.

But Ermakov did eventually join M-13, at least informally. At trial, the government introduced an M-13 employee list reflecting Ermakov’s participation in a specific project. And they submitted a picture, from December 2019, showing Ermakov with an M-13 sticker, within days of the time when a staging server similar to the one used in the 2016 hack of the Democrats was set up.

Klyushin may have even incorporated Sladkov into M-13. The FBI found a proposal for a data analysis service, dated September 4, 2019, which M-13 would introduce on October 28, 2020, as well as encrypted communications from an M-13 chat application, in Sladkov’s iCloud account.

Klyushin fought hard to exclude one of the most telling pieces of evidence that the hacking scheme came to be tied to M-13 — the four Porsches that, Klyushin bragged to an investor, he had bought for himself, Ermakov, and one other co-conspirator with the proceeds of the insider trading.

But this currency — expensive gifts — seems to have been at least part of the way Ermakov was compensated for his role in the scheme.

Ermakov did not engage in any trading himself. Instead, two men in St. Petersburg, two associated with M-13 (including Klyushin himself), and three clients of M-13, profited off documents [Y]Ermakov seems to have stolen.

But in addition to the Porsche, on August 17, 2020, ten days before the delivery of the Porsches, Ermakov took possession of a Moscow house worth millions, the loan agreement for which Klyushin reportedly ripped up. Months earlier, Klyushin had tied paying for the house with continued hacking — which, Klyushin joked, amounted to just turning on the computer and thinking about making money.

Ermakov was effectively printing money for Klyushin, and his reward was that house.

In September 2020, the hack-and-trade scheme would be shut down for good.

Throughout the time it was going, however, those co-conspirators knew of the indictment against Ermakov. Sladkov downloaded Ermakov’s wanted poster from the FBI website on October 5, 2018, just a day after Ermakov was charged in the 2016 hack-and-leak of anti-doping agencies while Ermakov was still a GRU officer.

And on October 4, 2020, Klyushin took a screencap of Ermakov’s wanted poster from the FBI website.

By the time Klyushin took this screencap, the victim filing agencies had finally shut down Ermakov’s access to the site, after eight months of trying. Perhaps Klyushin was contemplating what that would mean or how it had happened? According to trial evidence, DOJ didn’t identify the hack-and-trade scheme by tracking what Ermakov was doing. Rather, the investigation started when the SEC started tracking some large-scale trading by a bunch of Russians together, then asked the filing agencies if they had been hacked. At least according to the public record, the involvement of Ermakov was disclosed only after working backwards from the forensic evidence. But in October 2020, Klyushin may have considered the risks of entering into a hack-and-trade scheme with a hacker whose habits were already known within the FBI.

By then it was too late. Indeed, Ermakov had already warned his boss about his shoddy OpSec. On July 18, 2019, Klyushin asked Ermakov and the other M-13 co-conspirator Nikolai Rumiantcev how the hack-and-trade was going. He included pictures of two of the M-13 investors. In response, Ermakov warned his boss that that kind of OpSec is the kind of thing that would land him as a defendant in a courtroom.

Q. Okay, thank you. And now can we move to 3980, please. And this date is?

A. This is July 18 of 2019.

Q. Would you begin with 3980.

A. “Vladislav Klyushin: So what did we earn today?”

Q. And then there’s an attachment?

A. Correct.

Q. And then he says what?

A. Ermakov responds: “About 350 and another 350 in the mind. Sasha the most among the rest. “Klyushin: Our comrades are wondering.”

MR. FRANK: Could we stop right there, and I realize it’s hard, Ms. Lewis, because we’re in the Excel, but could you please display Exhibits 52 and Exhibit 50.

Q. Those are the attachments, Special Agent. Have you had an opportunity to review those?

A. Yes.

Q. Who’s depicted in Exhibits 52 and 50?

A. On the left, 52 is Sergey Uryadov. On the right is Boris Varshavksiy in Exhibit 50.

MR. FRANK: I offer 52 and 50. (Exhibits 50 and 52 received in evidence.)

Q. Okay. So those are the two attachments Mr. Klyushin has just transmitted in the chat?

A. Yes.

Q. Can we go back to the chat and pick up where we left off. So Mr. Klyushin says, “What did we earn today? Our comrades are wondering.” Could you continue, please, at 3987.

A. After sending those pictures we just looked at, Ermakov replies: “Vlad, you are exposing our organization. This is bad.” “Nikolai Rumiantcev: Vlad, stop sending to Threema.” Klyushin replies, “So sorry.” “Ermakov: And that’s how they get you and you end up as a defendant in a courtroom.”

Q. How does Mr. Klyushin respond?

A. Klyushin responds, “Removed. Open a chat with us already. “Ermakov: Go ahead and create. It was a bad move now. “Klyushin: Sorry. Did a dumb thing. “Rumiantcev: I suggest to recreate the chat with the deletion of attachments in Threema, or switch to ours if ready. “Klyushin: I will delete this one on my end.”

Klyushin did delete this chat. Rumiantcev left it in his iCloud account, where the FBI found it.

At the time, the men appear to have been shifting their trading discussions to the encrypted M-13 chat application found in all their iCloud accounts, finally taking measures to cover their tracks going forward, over eighteen months into the hack-and-trade conspiracy. Going forward, those working with Ermakov might not exhibit the kind of abysmal OpSec that produced abundant trial evidence against his co-conspirator. Maybe they learned their lesson, and they’ll be able to exploit Ermakov’s skill more safely going forward.

It remains to be seen whether the prosecution of Klyushin, with his ties to even higher ranking Russians, does more than hold him accountable for millions in fraudulent trades. But that may have little effect on the life of John Podesta’s suspected hacker.

* The government has used two different transliterations for [Y]Ermakov’s last name. In 2018, they used the one that aids in pronunciation. In 2021, they used the direct transliteration from the Cyrillic. Because evidence submitted at Klyushin’s trial uses the initials “IE” to refer to Ermakov, I’ll adopt that spelling here.


On Joshua Schulte’s Alleged Substantial Amount of CSAM … and Other Contraband

Yesterday, Judge Jesse Furman docketed a letter, impossibly dated March 23, updating him on the investigation into the Child Sexual Abuse Material allegedly found six months ago on the discovery computer of WikiLeaks Vault 7 source Josh Schulte (see this post for an explanation).

It described more about the CSAM material found on Schulte’s computer: The FBI had found “at least approximately 2,400 files on the laptop … likely containing CSAM.”

With respect to assertions that Joshua Schulte, the defendant, has made about the discovery laptop—that the laptop does not contain CSAM, that any CSAM appears only in thumbnails, or that the CSAM was maliciously or inadvertently loaded onto the laptop by the Government. See, e.g., D.E. 998 at 3 (pro se letter to the Court dated Dec. 21, 2022), 5 (pro se letter to the Court dated Jan. 5, 2023)—the Government is able to confirm the following: at least approximately 2,400 files on the laptop have been identified to date as likely containing CSAM. Those files include full images, and are not limited to thumbnail images. Moreover, the Government did not copy discovery materials onto the defendant’s laptop. In 2021, former defense counsel copied discovery and trial materials onto the laptop, which was then reviewed by personnel from the U.S. Attorney’s Office for security compliance before making a file index and providing the laptop to the Metropolitan Correctional Center (“MCC”), where the defendant was then in custody. The CSAM on the laptop was not provided by the Government or the result of Government action.

That, by itself, doesn’t tell us a lot more than we learned in an October filing, which explained that the FBI had found, “a substantial amount” of suspected CSAM.

Indeed, the letter focuses on debunking two counterarguments Schulte has made since, which is one of the reasons Furman docketed it after DOJ submitted it ex parte: “[T]his letter responds directly to assertions by Mr. Schulte,” Furman observed.

The government was debunking a claim made by Schulte that the government had caused the CSAM — but only thumbnails — to be loaded onto his discovery computer by “connect[ing] a child pornography drive to the laptop during setup.”

Schulte repeated and expanded — at great, great length — that theory in a set of filings dated March 1 but just loaded to the docket today.

The government response, effectively, was that they made an index of the files as the computer existed when it was turned over to MCC in 2021, calling Schulte on his claim that he was framed with CSAM.

Ultimately both sides will be able to present their claims to a jury.

But there are several other reasons I’m interested in the letter and related issues.

The government’s working theory, when they first revealed this last fall, was that Schulte got a thumb drive into the SCIF and from that accessed the CSAM allegedly found on his home computer six years ago, presumably just to have it in his cell for his own further exploitation of children.

there is reason to believe that the defendant may have misused his access to the SCIF, including by connecting one or more unauthorized devices to the laptop used by the defendant to access the CSAM previously produced.

That’s because in August, they found a thumb drive attached to the SCIF laptop.

On or about August 26, 2022, Schulte was produced to the Courthouse SCIF and, during that visit, asked to view the hard drive containing the Home CSAM Files from the Home Desktop. The hard drive was provided to Schulte and afterwards re-secured in the dedicated safe in the SCIF. The FBI advised the undersigned that, while securing the hard drive containing the Home CSAM Files, they observed that an unauthorized thumb drive (the “Thumb Drive”) was connected to the SCIF laptop used by Schulte and his counsel to review that hard drive containing the Home CSAM Files. On or about September 8, 2022, at the Government’s request, the CISO retrieved the hard drive containing materials from the Home Desktop from the SCIF and returned it to the FBI so that it could be handled pursuant to the normal procedures applicable to child sexual abuse materials. The CISO inquired about what should be done with the Thumb Drive, which remained in the dedicated SCIF safe.

But in a little noticed development, during the period when FBI has been investigating how a defendant held under SAMs managed to get (we’re now told) 2,400 CSAM files onto his discovery computer, CNN reported that the network of FBI’s NY Field Office focused on CSAM had been targeted in a hacking attempt.

The FBI has been investigating and working to contain a malicious cyber incident on part of its computer network in recent days, according to people briefed on the matter.

FBI officials believe the incident involved an FBI computer system used in investigations of images of child sexual exploitation, two sources briefed on the matter told CNN.

“The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.”

FBI officials have worked to isolate the malicious cyber activity, which two of the sources said involved the FBI New York Field Office — one of the bureau’s biggest and highest profile offices. The origin of the hacking incident is still being investigated, according to one source.

DOJ still insists that former CIA hacker Josh Schulte found a way to access a whole bunch of CSAM. And in the same period, reportedly, the servers involved with CSAM investigation in the NYFO were hacked.

And while the letter released yesterday doesn’t tell us — much — that’s new about what Schulte allegedly had on his laptop, it does tell us, by elimination, which of the sealed filings in his docket are not related to the CSAM investigation.

Since the October update on the investigation into Schulte, sealed documents have been filed in Schulte’s docket on the following days:

  • December 15: Sealed document
  • January 19: Ex parte update on CSAM investigation
  • January 26: Sealed document
  • March 9: Sealed document
  • March 13: Sealed document

Only the January 19 letter — along with yesterday’s letter — has been unsealed. That, plus the flurry of filings in September and October, are it for the CSAM investigation. There’s something else going on in this docket, four sealed documents’ worth.

Indeed, in that very long set of filings mentioned above, both dated February and finalized March 1, both docketed today, Schulte alluded to something beyond CSAM.

Judge Furman has begun claiming that there are other vague misuses or misbehavior on the laptop.

He must not have read the September and October letters very closely, because they describe that there was a warrant that preceded the discovery of the CSAM.

The warrants that we know of include the following:

Since late September, this investigation was about the “substantive” amounts of CSAM found on a computer possessed by Schulte.

But before that it was based on suspicions of contraband.

That stems, in significant part, from a search of the computer DOJ did in June, when Schulte turned it over claiming it had been dropped.

It hadn’t been dropped. It needed to be charged. Indeed, in the interminable motions filed today, Schulte treated plugging in a laptop as some kind of due process violation.

Plugging in a laptop should in no way compromise the privacy of a laptop. But it did raise real questions about the excuse Schulte offered in an attempt to get a second laptop (one he effectively got once trial started anyway).

Needless to say, his description of what happened with the BIOS password differs from the government’s, as provided last June.

First, with respect to the defendant’s discovery laptop, which he reported to be inoperable as of June 1, 2022 (D.E. 838), the laptop was operational and returned to Mr. Schulte by the end of the day on June 3, 2022. Mr. Schulte brought the laptop to the courthouse on the morning of June 3 and it was provided to the U.S. Attorney’s Office information technology staff in the early afternoon. It appears that the laptop’s charger was not working and, after being charged with one of the Office’s power cords, the laptop could be turned on and booted. IT staff discovered, however, that the user login for the laptop BIOS had been changed. IT staff was able to log in to the laptop using an administrator BIOS account and a Windows login password provided by the defendant. IT staff also discovered an encrypted 15-gigabyte partition on the defendant’s hard drive. The laptop was returned to Mr. Schulte, who confirmed that he was able to log in to the laptop and access his files, along with a replacement power cord. Mr. Schulte was admonished about electronic security requirements, that he is not permitted to enable or use any wireless capabilities on the laptop, and that attempting to do so may result in the laptop being confiscated and other consequences. Mr. Schulte returned to the MDC with the laptop. [my emphasis]

Here’s more background on all the funky things that happened with this laptop that led me to suspect something was going on last summer.

Anyway, the government claims it found a whole bunch of CSAM on Schulte’s computer. But there’s also something else going on.

We may find out reasonably soon. The impossibly dated filing from this week promised an update in a week, which (if the impossibly dated filing was actually dated March 21) might be Tuesday.

The Government expects to provide the Court with a supplemental status letter in approximately one week.

At the same time that CIA hacker Josh Schulte was allegedly finding a way to load CSAM onto his discovery laptop, the local FBI office’s CSAM servers were hacked.

That might be a crazy coincidence.

Update: DOJ filed an ex parte update today, which may or may not have to do with the CSAM investigation.


Remember: DOJ May Still Suspect Trump Is Hoarding Classified Documents

When I wrote up initial reports of Christina Bobb’s first interview with investigators in the stolen documents case, I noted,

Bobb’s testimony will clarify for DOJ, I guess, about how broadly they need to get Beryl Howell to scope the crime-fraud exception.

Here we are five months later, and Beryl Howell has indeed, very predictably, scoped out the crime-fraud exception for Evan Corcoran’s testimony and the DC Circuit has refused Trump’s request of a stay to fight that ruling.

In fact, ABC reported a list of the things that Judge Howell ruled Evan Corcoran must share with Jack Smith’s prosecutors, the scope I predicted she’d draw up five months ago.

As you read it, keep in mind that DOJ likely suspects that Trump still is hoarding classified documents. I say keep that in mind, because these questions will help to pinpoint the extent to which Trump or Boris Epshteyn masterminded efforts last June to hide classified documents, which may help DOJ to understand whether someone has masterminded efforts to hide remaining classified documents since.

The six things Corcoran has been ordered to testify about, per ABC, are:

  1. “[T]he steps [Corcoran] took to determine where documents responsive to DOJ’s May subpoena may have been located”
  2. Why Corcoran “believed all documents with classification markings were held in Mar-a-Lago’s storage room”
  3. “[T]he people involved in choosing Bobb as the designated custodian of records for documents that Trump took with him after leaving the White House, and any communications he exchanged with Bobb in connection with her selection”
  4. “[W]hether Trump or anyone else in his employ was aware of the signed certification that was drafted by Corcoran and signed by Trump attorney Christina Bobb then submitted in response to the May 11 subpoena from the DOJ seeking all remaining documents with classified markings in Trump’s possession”
  5. “[W]hether Trump was aware of the statements in the certification, which claimed a “diligent search” of Mar-a-Lago had been conducted, and if Trump approved of it being provided to the government”
  6. What Corcoran “discussed with Trump in a June 24 phone call on the same day that the Trump Organization received a second grand jury subpoena demanding surveillance footage from Mar-a-Lago that would show whether anyone moved boxes in and out of the storage room”

Questions 1 and 2 are a test of whether Corcoran wrote the declaration that Christina Bobb signed on June 3 in good faith. Given the fact that boxes were moved out of the storage room, it’s quite plausible that Corcoran did do a good faith search of the remaining boxes. So the answer to question 2 — why did he think all the classified documents were in that room? — will help pinpoint who has criminal liability for that obstructive act. Someone told him only to search the storage room and he took Jay Bratt to that storage room on June 3 and falsely (but likely unwittingly) told them that’s where all the classified documents would have been stored. Who told him that was true?

Questions 4 and 5 go to Trump’s awareness of the attempt to mislead DOJ on June 3. Did he know about the signed certification, and if so was Trump aware that Corcoran and Bobb had, between them, claimed the search of a storage room out of which boxes had been moved amounted to a diligent search? Since he reportedly ordered Walt Nauta to move boxes out of there, does that mean he knew the declaration was false?

Question 3 is more interesting though: The fact that Corcoran wouldn’t sign the certification himself is testament that he had doubts about the search he did himself or, at least, that someone knew enough to protect him. Per reporting from after she spoke to investigators the first time (see this post), Boris Epshteyn contacted Bobb the night before the search to serve the role she played.

She told them that another Trump lawyer, Boris Epshteyn, contacted her the night before she signed the attestation and connected her with Mr. Corcoran. Ms. Bobb, who was living in Florida, was told that she needed to go to Mar-a-Lago the next day to deal with an unspecified legal matter for Mr. Trump.

When she showed up the next day, Bobb complained that she didn’t know Corcoran, which is one of the reasons she wisely caveated the document before signing it.

“Wait a minute — I don’t know you,” Ms. Bobb replied to Mr. Corcoran’s request, according to a person to whom she later recounted the episode. She later complained that she did not have a full grasp of what was going on around her when she signed the document, according to two people who have heard her account.

And Bobb wasn’t the custodian of records. Someone decided to have someone unaffiliated with the Office of the Former President sign as custodian of records, thereby protecting Trump’s legal entity — the one served with the subpoena — from liability for the inadequate response.

She was, however, someone who — like Boris Epshteyn — likely has significant exposure for January 6, and even (per her testimony to January 6 Committee) witnessed Trump’s call to Brad Raffensperger.

But either Corcoran knew or suspected his own search was inadequate, or someone built in plausible deniability for him. DOJ may find out which it was on Friday.

As noted, this may help DOJ understand what has happened since Bobb’s initial testimony. Reports of her testimony came in the same days as initial reports that DOJ had told Trump they believed he still had classified records. Both Bloomberg and NYT described the tensions that arose among Trump’s lawyers as a result, with some objecting to any further certification.

Christopher M. Kise, who suggested hiring a forensic firm to search for additional documents, according to the people briefed on the matter.

But other lawyers in Mr. Trump’s circle — who have argued for taking a more adversarial posture in dealing with the Justice Department — disagreed with Mr. Kise’s approach. They talked Mr. Trump out of the idea and have encouraged him to maintain an aggressive stance toward the authorities, according to a person familiar with the matter.

That was in October. In November, Merrick Garland appointed Jack Smith. In late November, Trump hired Tim Parlatore to do the search Kise had recommended over a month earlier. The search found, and returned to DOJ, two documents with classification markings found in a separate storage facility.

But even as Trump lawyers were dribbling out details of the result of that search, they were hiding at least two more details: that a Trump aide had been carting around — and had uploaded via the cloud — White House schedules that included once-classified information. And, Parlatore’s searchers had discovered, there was another empty classified folder on Trump’s bedside table that hadn’t been discovered in the August search. Whether willful or not, both likely show that additional documents with classification markers were brought back to Mar-a-Lago after the August search.

Since the time in December DOJ tried to hold Trump in contempt for refusing to comply with the May subpoena, they have chased down the box of schedules and the computer to which they were uploaded and subpoenaed the extra empty classified folder. They have interviewed the people who did the search, as well as the lawyers to whom Boris Epshteyn was giving orders. Significantly, they also interviewed Alina Habba, whose own search of Mar-a-Lago for documents responsive to Tish James’ subpoena had obvious gaps, most notably the storage closet full of documents where a bunch of classified documents were being stored. And finally, after five months, they will answer the questions first made obvious after Bobb’s initial interview in October: what Trump told Corcoran to get him to do an inadequate search.

Which brings me to Question 6: What Trump said to Corcoran after he received a subpoena for security footage that Trump knew — but Corcoran may not have known — showed Walt Nauta moving boxes that would thereby be excluded from the search Corcoran had done in May and June. Since this was a call, it may well be one of the things about which Corcoran took notes or even a recording that he later transcribed. Also recall that there was a discrepancy as to the date of the subpoena (as well as whether Trump greeted Jay Bratt and others when they were at MAL) when the search was originally revealed last year, a discrepancy that led me to suspect DOJ first served a subpoena on Trump’s office and only then served a subpoena on Trump Organization. June 24 may have been the first date that Corcoran became aware that his representations about the search for documents were incomplete.

Here’s the point, though. Trump played a shell game in advance of the search that Corcoran did last summer. Alina Habba’s declaration, on its face, reflects a shell game. There’s reason to believe — given the box containing additional documents marked classified and the empty classified folder — that Trump played another shell game when Parlatore’s investigators searched in November and December. And Howell reportedly also approved a crime-fraud waiver for Jennifer Little, a lawyer representing Trump in conjunction with the Georgia investigation.

If Corcoran does testify tomorrow, it may crystalize DOJ’s understanding of that shell game, at least. Not only will that help DOJ understand if another shell game, one involving Parlatore, managed to hide still more documents in November and December. But it may help to understand any other shell games Trump engaged in in NY and GA.

It may also finally provide the basis to hold Trump in contempt for withholding further documents.


Just for Perspective: Investigations Take Longer When Presidents Don’t Wiretap Themselves

A few weeks ago, Peter Baker marked the day that the January 6 investigation has taken as long as the time between the burglary and Nixon’s resignation.

I reacted poorly to Baker’s claim to offer perspective; even on past presidential investigations, he has been overly credulous. And there’s really no comparison between Watergate and January 6, particularly if one compares — as Baker does — time-to-resignation under a still-sane Republican party with time-to-indictment in the MAGAt era. The comparison offers no perspective.

But I thought I’d take Baker up on the challenge, because the Watergate investigation offers a worthwhile way to demonstrate several of the reasons why the January 6 investigation is so much harder. (I plan to make running updates of this post because I expect feedback, particularly from people who know the Watergate investigation better than me, will help me fine tune this explanation.)

Same day arrests

In Watergate, the burglars were arrested in the act of breaking into the DNC headquarters.

On January 6, the cops tried to (and in a relative handful of cases, did) arrest people onsite. But this is the challenge they faced when they tried: Every attempted arrest required multiple officers to focus on one individual rather than the mob of thousands poised to invade the Capitol; every arrest was a diversion from the effort to defend the Capitol, Mike Pence, and members of Congress, with a woefully inadequate force.

In the case pictured above, the cops made a tactical decision to let Garret Miller go. After assuring the cops he only wanted to go home, just 33 minutes later, Miller burst through the East door with the rest of the mob.

There wasn’t a great delay in arrests of January 6 rioters, though. Nicholas Ochs, the first Proud Boy arrested, was arrested on January 7 when his flight home from DC landed in Hawaii.

Q-Shaman Jacob Chansley was arrested on January 8. The first person who would be convicted of a felony by a jury, Guy Reffitt, was arrested on January 15 (his son had tipped the FBI about him before the attack). The first person known to later enter into a cooperation agreement, Jon Schaffer, was arrested on January 17. Miller, pictured above, was rearrested January 20. VIP Stop the Steal associates Brandon Straka and Anthime “Baked Alaska” Gionet — the former of whom did provide and the latter of whom likely provided useful information on organizers to earn misdemeanor pleas — were arrested on January 25 and January 17, respectively. Joe Biggs — now on trial for sedition and an utterly critical pivot between the crime scene and those who coordinated with Trump — was arrested January 20, the same day that Joe Biden would, under tight security, be sworn in as President, the same day Steve Bannon’s last minute pardon was announced.

Kelly Meggs, the Oath Keeper who facilitated cooperation among three militias and who was convicted with Stewart Rhodes of sedition last November, was arrested on an already growing conspiracy indictment on February 19.

In the first month then, DOJ had already taken steps in an investigation implicating those who worked with Trump. The table below includes the arrests of some of the witnesses who will have an impact on an eventual Trump prosecution. There are others that I suspect are really important, but their role is not yet public.

Trial delays

The Watergate burglars didn’t go to trial right away. They were first indicted on September 15, 1972, 90 days after their arrest. Those who didn’t plead out went on trial January 8, 1973, 205 days after their arrest. Steps that John Sirica took during that trial — most notably, refusing to let the burglars take the fall and reading James McCord’s confession publicly — led directly to the possibility of further investigation. Nixon wouldn’t even commit his key crimes for over two months, in March.

That’s an important reminder, though: the Watergate investigation would have gone nowhere without that trial. That’s unsurprising. That’s how complex investigations in the US work.

Many people don’t understand, though, that there were two major delays before anyone could be brought to trial for January 6. First, COVID protocols had created a backlog of trials for people who were already in pretrial detention and, for about 18 months, would limit the number of juries that could be seated. Efforts to keep grand jury members safe created similar backlogs, sometimes for months. In one conspiracy case I followed, prosecutors were ready to supersede several defendants into a conspiracy in April 2021, but did not get grand jury time to do so until September.

To make that bottleneck far, far worse, the nature of the attack and the sheer volume of media evidence about the event led DOJ to decide — in an effort to avoid missing exculpatory evidence that would undermine prosecutions — to make “global production” to all defendants. That required entering into several contracts, finding ways to package up media that started out in a range of different formats, getting special protective orders so one defendant wouldn’t expose personal details of another (though one defendant is or was under investigation for doing just that), then working with the public defenders’ office to effectively create a mirror of this system so prosecutors would have no access to defense filings. It was an incredibly complex process necessitated by the thing — the sheer amount of evidence from the crime scene — that has made it possible to prosecute so many of the crime scene culprits.

Here’s one of the memos DOJ issued to update the status of this process, one of the last global updates. Even at that point over a year after the attack, DOJ was just starting to move forward in a few limited cases by filling in what remained of discovery.

The first felony trial coming out of January 6 was that of Guy Reffitt, which started on March 3, 2022, a full 420 days after the event. Bringing him to trial was made easier — possible even — because Reffitt never went into the Capitol itself, so didn’t have to wait until all global discovery was complete, and because there were several witnesses against him, including his own son.

The delays in discovery resulted in delays in plea deals too, as most defense attorneys believed they needed to wait until they had seen all of the discovery to make sure they advised their client appropriately.

Lots of people thought this process was unnecessary. But the decision to do it was utterly vindicated the other day, as DOJ started responding to defendants claiming that Tucker Carlson had found video that somehow proved their innocence. As I noted, prosecutors were able to point to the video shown by Tucker Carlson that he said vindicated Jacob Chansley and describe specifically when an unrelated defendant, Dominic Pezzola, had gotten what was effectively Chansley’s discovery.

The footage in question comes from the Capitol’s video surveillance system, commonly referred to as “CCTV” (for “closed-circuit television”). The Court will be familiar with the numerous CCTV clips that have been introduced as exhibits during this trial. The CCTV footage is core evidence in nearly every January 6 case, and it was produced en masse, labeled by camera number and by time, to all defense counsel in all cases. With the exception of one CCTV camera (where said footage totaled approximately 10 seconds and implicated an evacuation route), all of the footage played on television was disclosed to defendant Pezzola (and defendant Chansley) by September 24, 2021. The final 10 seconds of footage was produced in global discovery to all defense counsel on January 23, 2023. Pezzola’s Brady claim therefore fails at the threshold, because nothing has been suppressed. United States v. Blackley, 986 F. Supp. 600, 603 (D.D.C. 1997) (“For an item to be Brady, it must be something that is being ‘suppress[ed] by the prosecution.’”) (quoting Brady v. Maryland, 373 U.S. 83, 87 (1963)).

While discovery in this case is voluminous, the government has provided defense counsel with the necessary tools to readily identify relevant cameras within the CCTV to determine whether footage was produced or not. Accordingly, the volume of discovery does not excuse defense counsel from making reasonable efforts to ascertain whether an item has been produced before making representations about what was and was not produced, let alone before filing inaccurate and inflammatory allegations of discovery failures.

You may think the thirteen-month delay for discovery was a waste of time. But it just prevented Tucker Carlson from being able to upend hundreds of prosecutions.

Obviously, most of the trials that have occurred in the last year won’t directly lead to Trump. Some will. I’ve said for 22 months that I think the Proud Boy trial is critical — and that won’t go to the jury for another two or three weeks yet. There are a number of steps that, I suspect, DOJ has been holding on pending the results of that trial, because so much else rides on it.

The Stewart Rhodes trial was likely helpful. I’ve suggested DOJ may use Danny Rodriguez as a way to tie Trump and Rudy Giuliani to the near-murder of Michael Fanone on an aid-and-abet theory. And there are a few more sleeper cases that seem to have greater significance than what went on at the Capitol that day.

Update: On May 4, 2023, a jury found four of the five Proud Boy leaders guilty of sedition. This trial was an important precursor for other investigative steps.

The legal uncertainty

In the Nixon case, there were fairly well established crimes: burglary, and obstruction of a criminal investigation.

I won’t say too much on this point, because I already have. But in this case, prosecutors were (and undoubtedly still are) trying to apply existing statute to an unprecedented event. One law they’ve used with a lot of the rioters — civil disorder — was already being appealed elsewhere in the country when prosecutors started applying it to January 6. Since then its legal certainty has been all but solidified.

Far more importantly, the way prosecutors have applied obstruction of an official proceeding, 18 USC 1512(c)(2), has been challenged (starting with Garret Miller–the guy in the aborted arrest photo above) for over a year. That’s precisely the crime with which the January 6 Committee believes Trump should be charged (I advocated the same before their investigation even started in earnest); but I’m not sure whether Jack Smith will wait until the appeals on the law get resolved.

Still, DOJ has spent a great deal of time already trying to defend the legal approach they’ve used with the investigation.

Update: On April 7, the DC Circuit reversed Carl Nichols, holding that 18 USC 1512(c)(2) does not require a documentary component. That opinion raised new questions about the meaning of “corrupt purpose” under the statute. The Circuit rejected Fischer’s request for a rehearing, clearing the possibility of an appeal to SCOTUS. On May 11, the DC Circuit heard Thomas Robertson’s challenge to the same statute. Its decision in that case will almost certainly be the first DC Circuit ruling on “corrupt purpose” under the statute.

The insider scoop

For all the delays in setting up the January 6 Committee, it (and an earlier Senate Judiciary Committee inquiry into Jeffrey Clark’s efforts to undermine the vote) got started more quickly than Sam Ervin’s committee, which first started 11 months after the burglary.

Yet it only took Ervin’s Senate investigators about two months to discover their important insider, whose testimony would prove critical to both Congressional and criminal investigators. On July 13, 1973, Alexander Butterfield first revealed the existence of the White House taping system.

For all the January 6 Committee’s great work, it wasn’t until her third interview, on May 17, 2022, that Cassidy Hutchinson began to reveal more details of Trump’s unwillingness to take steps against his supporters chanting “Hang Mike Pence.” Even Hutchinson’s remarkable public testimony on June 28, 2022, when she described Trump demanding that his supporters be allowed to enter the Ellipse rally with the weapons Secret Service knew them to be carrying, is not known to have provided the kind of Rosetta stone to the conspiracy that disclosure of Nixon’s White House taping system did. In later testimony, Hutchinson provided key details about a cover-up. And her testimony provided leverage for first J6C and then, in at least two appearances, grand jury testimony from Pat Philbin and Pat Cipollone, the latter appearance of which came with an Executive Privilege waiver on December 2, 2022, 23 months after the attack.

Cell-xploitation

This brings us to the biggest difference in the timeline. Once the Senate and prosecutors learned that Nixon had effectively wiretapped himself, it turned the investigation into a fight over access to those materials.

The parts of the draft Nixon indictment that have been released describe a fairly narrow conspiracy. The proof against Nixon would have comprised, in significant part:

  • The report John Dean did disclaiming a tie to the break-in
  • Proof of payments to Howard Hunt
  • White House recordings, primarily from several days in March 1973, proving that Nixon had the payments arranged

That is, in addition to the James McCord confession and John Dean’s cooperation, any charges against Nixon relied on recordings Nixon himself had made, the import of which was made all the more salient with the disclosure of the 18-minute gap.

One thing likely made the January 6 prosecution easier: The sheer amount of data available to prosecutors using subpoenas. We have yet to see any of that with regard to organizers (though we know that Denver Riggleman, with far weaker subpoena power, was able to do a detailed map of ties between Trump, organizers, and mobsters).

There will undoubtedly be a great deal of evidence obtained from cloud companies. The only hint of this process we know about yet involves the emails from Jeffrey Clark, Ken Klukowski, John Eastman, and one other person, who is not a lawyer. DOJ had obtained emails from them with a warrant by last May. They have undoubtedly done the same for dozens of other subjects (beyond those arrested from the crime scene, where they have done so as well), but we won’t know about it until we see it in indictments.

But even that is not always easy. DOJ has spent seven months so far getting Peter Navarro to turn over emails from his Proton Mail account covered by the Presidential Records Act. Judge Colleen Kollar-Kotelly just issued an order requiring him to turn the emails over, but it’s not clear whether he’ll further obstruct this effort to simply enforce his normal record-keeping obligations.

But one challenge that didn’t exist fifty years ago makes prosecutors’ jobs much harder: the need to obtain and exploit individual cell phones to obtain encrypted communications — things like Signal and Telegram chats — not otherwise available. In Enrique Tarrio’s case, simply breaking into the phone took most of a year. In Rudy Giuliani’s case (his phones were first obtained in the Ukraine investigation starting on Lisa Monaco’s first day on the job, but the results would be available with a separate warrant here), it took a nine-month Special Master review. In Scott Perry’s case, his speech and debate claims will be appealed to SCOTUS. The table below shows whose phones we know to have been obtained, including how long it took to exploit the phones to the extent that became public. (It does not show known cloud content obtained; much of that remains secret.)

The point being, even for the Proud Boys and Oath Keeper cases, you had to get one phone, use it to get probable cause on the next guy, then get his phone to use it to get probable cause on the next guy. This process is very obviously at the stage where both Alex Jones and Roger Stone would be in prosecutors’ sights, as well as much of the fake elector plot. But that’s still several steps away from people like Mark Meadows, who would necessarily be involved in any Trump prosecution.

Privilege

When DOJ subpoenaed the two Pats last summer, multiple media outlets reported that subpoenaing the White House counsels was particularly “aggressive.”

Two top lawyers who worked in the White House under former President Donald Trump have been subpoenaed to appear before a federal grand jury investigating the events leading up to the Jan. 6, 2021, attack on the Capitol, people familiar with the matter said, in the latest sign that the Justice Department’s probe is entering a more aggressive phase.

Mr. Trump’s White House counsel Pat Cipollone and his deputy Pat Philbin received subpoenas in recent days seeking documents and testimony, the people said. [my emphasis]

But as coverage of, first, Mike Pence’s two aides and, then, the two Pats being compelled to testify about topics Trump had claimed were privileged noted, it’s not actually a new or particularly aggressive thing to ask White House counsels to testify. Indeed, John Dean’s cooperation — the most important part of holding Nixon accountable — arose after he had gotten himself deeper and deeper into Nixon’s cover-up.

And in spite of the Nixon precedent that said there were limits to Executive Privilege, and in spite of the DC Circuit ruling that the import of investigating January 6 overcame Trump’s Executive Privilege claims, even with Congress, Trump has used — and DOJ has been obligated to navigate — a series of privilege claims to delay the investigation.

As I’ve noted, there are close to thirty key witnesses or subjects whose attorney-client claims have to be carefully addressed to avoid blowing both that case and those of any downstream investigation.

In the case of Scott Perry, DOJ has spent six months trying to get into his phone. That delay is not a sign of lassitude. On the contrary, it’s a sign they’re including subjects who very rarely get investigated in the investigation.

Update: On April 21 and 22, seven-plus months after DOJ seized his phone (which is often how long exploitation takes), Boris Epshteyn spent two days interviewing with Jack Smith’s prosecutors though not — at least by description — appearing before the grand jury. He played a key role in both January 6 and the stolen documents case.

Cooperating witnesses

According to this timeline, John Dean started cooperating on April 6, 1973, almost ten months after the arrest of the burglars, though just a few weeks after the day of Nixon’s crimes as alleged in the draft indictment.

As noted on this table, there were people who entered into cooperation agreements more quickly than that, but it’s not clear who of them will help prosecute those closer to Trump. As I keep noting, I’m really dubious of the value of Brandon Straka’s cooperation.

There are maybe 30 to 35 known cooperators in January 6, but most only cooperated against their buddies, and most of those prosecutions didn’t much build prosecutions related to Trump.

This table only includes a few of the cooperating witnesses — the first (Schaffer, the nature of whose cooperation is still totally obscure), the dubious cooperation of Straka and, potentially, Gionet, the most important of at least five Proud Boy cooperators, Jeremy Bertino, and the most important of at least eight Oath Keeper cooperators, Joshua James.

James, along with a few of the other Oath Keeper cooperators, might help prosecute Roger Stone. But there is no one on this list who has the goods on Trump, like John Dean did. No one even close.

That said, we wouldn’t necessarily know if someone closer to Trump were cooperating. Even some people who are secondary cooperators remain entirely obscure, both that they are cooperating, and the extent of their knowledge. I suspect several people are cooperating — I even have specific people in mind, based on other details. But we won’t know anytime soon if someone has flipped on Donald Trump.

And given the ferociousness of his supporters and the aggressiveness of Trump’s obstruction, that’s a good thing.

Update, May 26: I’ve updated the table below to reflect the Oath Keeper sentences and the Proud Boy verdict.


KT McFarland Likened Trump’s Transition Interventions to the Iran October Surprise

In an FBI interview on September 14, 2017, KT McFarland likened Mike Flynn’s transition period interference with Obama policy to Richard Nixon’s Chennault Affair and what she called Reagan’s “purported dealings with Iran to free American hostages.”

Based on her study of prior presidential transitions, McFarland believed the sorts of things Flynn did were not unusual. She cited Richard Nixon’s involvement in Vietnam War peace talks and Ronald Reagan’s purported dealings with Iran to free American hostages during their transitions as precedent for proactive foreign policy engagements by an incoming administration. Most incoming administrations did similar things. No “red light” or “alarm bells” went off in her head when she heard what Flynn was doing. The President-elect made his support for Israel very clear during the campaign and contrasted his position with President Obama, who he believed had not treated Israel fairly.

To be clear: She was only talking about Flynn’s request of Russia, on December 22, to help stave off a UN vote condemning Israeli illegal settlements. At that point in September 2017, she was still claiming not to remember the calls Flynn made on December 29 to undermine Obama’s sanctions on Russia itself. She wouldn’t unforget those calls until after Flynn pled guilty a month and a half later.

But to the extent that she was happy to acknowledge that Trump’s National Security Advisor — her boss — was undermining US policy, she rationalized it by comparing it to Nixon and Reagan’s efforts to undermine US policy for political gain.

Only, it wasn’t just Flynn involved in undermining Obama’s foreign policy. Records from Mueller’s investigation show the following sequence on December 22:

  • 6:02AM: A “senior advisor to a Republican Senator” writes McFarland, cc’ing Flynn and others, warning that the UNSC was “voting to condemn Israeli settlements at 10a.m.” yet Obama was silent
  • 8:46AM: Flynn and Kushner speak for four minutes
  • 8:53AM: Flynn calls Sergei Kislyak, then calls a representative of the Egyptian government and speaks to him for four minutes
  • 8:59AM Flynn speaks to Kislyak for three minutes
  • Flynn had “several additional” calls with the representative of the Egyptian government
  • Egypt delayed the vote

When the President’s son-in-law read a draft statement from Egypt noting that Abdel Fattah El-Sisi had spoken with Trump that day and had “agreed to lay the groundwork … to drive the establishment of a true peace between the Arabs and the Israelis,” Kushner asked whether they could alter the statement. “Can we make it clear that Al Sisi reached out to DJT so it doesn’t look like we reached out to intercede?” He then falsely claimed, on an email with others like Reince Priebus that, “This happens to be the true fact pattern and better for this to be out there.”

Only it wasn’t the true fact pattern. Flynn had reached out. Not Sisi.

Indeed, this incident was probably the start of Kushner’s Abraham Accords, which in turn probably relates to why the Saudis paid Kushner $2 billion after he left the White House.

And it wasn’t just Flynn involved. Flynn made all these calls from Mar-a-Lago. After Egypt delayed the vote, McFarland bragged that Flynn, “had worked it all day with trump from Mara lago.” [my emphasis]

Trump was involved too.

That December 22 transcript was withheld from those released in 2020. But on a later call with Kislyak — the one where he asked Kislyak to hold off on sanctions — analysts suggested “he may be using a speaker phone.” Had Flynn used a speaker phone on December 22, when he was in Mar-a-Lago with Trump, Trump would have been on that call as well.

The next day, McFarland bragged still some more. She suggested Flynn should leak to the press about,

the crucial role [he] played in working your contacts built up over the decades to get administration ambush Israel headed off. You worked the phones with Japanese Russians Egyptians Spanish etc and reversed a sure defeat for Israel by kerry/Obama/susan rice/samantha power cabal.

In 2016, McFarland wanted Flynn to get credit in the press that he had undermined US policy to help Israel. In 2017, she rationalized doing so because Nixon and Reagan had done similar things in their day.

I raise all this not just because I wonder whether Bill Barr killed the investigation into whether Egypt kept Trump’s campaign alive in September 2016 with a $10 million donation.

I raise all this because NYT, on the verge of Jimmy Carter’s death, has finally revealed who reached out to Iran to get them to hold Americans hostage longer to help Reagan win the White House.

It was former Texas Governor John Connally.

It was 1980 and Jimmy Carter was in the White House, bedeviled by a hostage crisis in Iran that had paralyzed his presidency and hampered his effort to win a second term. Mr. Carter’s best chance for victory was to free the 52 Americans held captive before Election Day. That was something that Mr. Barnes said his mentor was determined to prevent.

His mentor was John B. Connally Jr., a titan of American politics and former Texas governor who had served three presidents and just lost his own bid for the White House. A former Democrat, Mr. Connally had sought the Republican nomination in 1980 only to be swamped by former Gov. Ronald Reagan of California. Now Mr. Connally resolved to help Mr. Reagan beat Mr. Carter and in the process, Mr. Barnes said, make his own case for becoming secretary of state or defense in a new administration.

What happened next Mr. Barnes has largely kept secret for nearly 43 years. Mr. Connally, he said, took him to one Middle Eastern capital after another that summer, meeting with a host of regional leaders to deliver a blunt message to be passed to Iran: Don’t release the hostages before the election. Mr. Reagan will win and give you a better deal.

Then shortly after returning home, Mr. Barnes said, Mr. Connally reported to William J. Casey, the chairman of Mr. Reagan’s campaign and later director of the Central Intelligence Agency, briefing him about the trip in an airport lounge.

At that moment of history, when Reagan won a victory in part thanks to Connally’s sacrifice of Americans’ freedom, KT McFarland was at the height of her credibility on foreign policy, fresh off going ABD in a PhD program. With the new Republican regime, she worked first for Texas Senator John Tower on the Senate Armed Services Committee, then for Cap Weinberger at DOD.

KT McFarland, who derives any foreign policy credibility from that moment created by an effort to harm US policy for political gain, likened what Trump did to what Reagan had done before.
